Friday Facebook announced the fix of a bug it said inadvertently exposed the private information of over six million users when Facebook's previously unknown shadow profiles accidentally merged with user accounts in data history record requests.
According to Reuters, the data leak spanned a year beginning in 2012.
Sunday, June 23, 8:15 PM PST: Updated at page bottom to reflect response statements from Facebook.
The personal information leaked by the bug is information that had not been given to Facebook by the users - it is data Facebook has been compiling on its users behind closed doors, without their consent.
A growing number of Facebook users are furious and demand to know who saw private information they had expressly not given to Facebook.
Facebook was accidentally combining user's shadow profiles with their Facebook profiles and spitting the merged information out in one big clump to people they 'had some connection to' who downloaded an archive of their account with Facebook's Download Your Information (DYI) tool.
According to the admissions in its blog, posted late Friday afternoon, Facebook appears to be obtaining users' offsite email address and phone numbers and attempting to match them to other accounts. It appears that the covertly collected information is then being stored in each Facebook user's invisible 'shadow profile' that is somehow attached to accounts.
Users were clearly unaware that offsite data about them was being collected, matched to them, and stored by Facebook.
Looking at comments on Facebook's blog and community websites such as Hacker News, Facebook users are extremely angry that the phone numbers and email addresses that are not-for-sharing have been gathered and saved (and now accidentally shared) by Facebook.
Facebook stated in its post yesterday that the bug was resolved, but Facebook users are telling a different story today in the comments.
One man commented this afternoon, "I just downloaded the "extended backup" and I'm still viewing emails and phone numbers that are NOT PUBLIC!!!!"
Facebook explained in its post that the bug shared information about a user that had been scraped from a source other than the personal data the user had ever entered into Facebook about themselves.
The action of the bug is that if a user downloaded their own Facebook history, that user would also download email addresses and phone numbers of their friends that other people had in their address books, without their friends ever knowing Facebook had gathered and stored that information.
This data is being gathered by Facebook about individuals through their friends' information about them - harvested when a user grants Facebook address book or contact list access.
Facebook did not specify which app or contact database tool was utilized when collecting and matching offsite-sourced data about users.
The social network said that it was harvesting and matching the offsite-sourced data to user profiles - creating these shadow profiles - "to better create friend suggestions" for the user.
Facebook users are deftly reading between the lines. One commenter on Hacker News observed wisely,
The blog says the fix was made in the DYI tool. That means they would continue to maintain "shadow profiles", but would stop letting others know that FB has a shadow profile on you.
Facebook's post downplays the significance of the data breach by telling users that while six million accounts were exposed, very few people saw the personal phone and email data because it could only be seen when a user downloaded their Facebook history.
The social giant assured users their shadow profiles were shared only with Facebook users they were somehow connected to,
if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.
Facebook did not specify in its post what is meant by "somehow connected to" and comment speculation is attempting to fill in the gaps.
According to Reuters, who spoke with a Facebook representative, the data was being exposed in this manner for about a year.
What the revelation means is that Facebook has much more information on us than we know, it may not be accurate, and despite everyone's best efforts to keep Facebook from knowing our phone numbers or work email address, the social network is getting our not-for-sharing numbers and email addresses anyway by stealing them (albeit through 'legitimate' means) from our friends.
The yearlong gap of exposure as described by Reuters creates a scenario of horrifying possibilities for any woman who has begin to experience harassment, abuse or stalking by an ex within the past year. Or, anyone being maliciously stalked and harassed by a tech-savvy aggressor (or a stalker's Facebook sock puppet) they may have accidentally friended over the past year.
This could be remedied and harm would be greatly reduced if Facebook addressed and answered the growing demands of its users to know who has seen their non-Facebook private data.
What it means for me is that even though I've been very careful not to give my phone number to Facebook or the men in my "friends," the guys I've 'friended' might have gotten my phone number anyway, regardless of my consent. I did not know they may have been able to get my phone number throughout the course of a year, and now I have no way of finding out who might have gotten my phone number.
I am glad I've never used a Facebook app or allowed Facebook access to my contacts in any way whatsoever. (Yay paranoia.) The private numbers and emails of my friends and colleagues should remain exactly that: private.
Facebook has officially stated that it does not know of any malicious use derived from the bug.
This appears to be the first time Facebook has publicly admitted that users' shadow profiles contain more than native data (such as posts or information you deleted but are retained by Facebook) and also contain data that Facebook has harvested.
Meanwhile, anger continues to rise on the Facebook post, and as of this writing there are no representatives from Facebook in the comments to quell the storm.
UPDATE Sunday, June 23, 8:15 PM PST: In an email today from Facebook Policy Communications, ZDNet learned that concern about collection, storage and shadow profiling of contact data is the sole fault of users who failed to read (or remember) the Facebook policies they agreed to when they were getting started on Facebook.
Facebook said that users should already know about the contact collection practices because they are told about it on this page. It states that their address book contacts will be saved to Facebook servers and stored, then used in cross-matching contact data to other users.
(However, I'd be remiss not to point out that this page does not tell users they are agreeing to have this type of data collection done about them, as well.)
Facebook did not directly answer my request for a statement in response to user anger regarding data being collected about them and attached to their accounts without their consent (the shadow profiles).
In answer to this question, Facebook again directs users to re-read the "Finding Friends" section of Help Center > Get Started on Facebook.
Facebook's emails did help to clarify some aspects of its users' shadow profiles - users' combined data.
Facebook's representative told me that the data is not obtained through an app or database tool. Data about you is obtained by the seemingly innocuous voluntary actions on Facebook of people you know.
In Facebook's explanation, it is obtaining data on individuals in a form of third party collection through voluntary user submission. It is reasonable to conclude that the data is only involuntarily collected and saved for the people the data is matched to - in this case, the six million accounts that were affected.
Facebook said that it would take "precise and coincidental timing" for a malicious person to use the DIY tool with intent and obtain Facebook's combined (shadow profile) data on a targeted user. Yet we know the bug was live for a year, and combined with Facebook's admission in the blog post regarding false positives, it's a fair guess on our side to suspect that a non-trivial risk remained.
Facebook did not respond to my request for a statement regarding user demands to know who had seen their shadow profile contact information.
UPDATE Tuesday June 25 5:40 PM PST: added links to new ZDNet investigative article about security team findings on Facebook's shadow profiles.